Service Manager Access Denied

Purpose:
You receive the error "Access denied to the computer's service manager" on the target computer.

Resolution:
This security error may occur because the user account is not an administrator of the target machine, the user token has become corrupted, the background service needs a restart, or the RPC/TCP connection timed out.

In some instances this error only appears when deploying or scanning Windows 7 and Windows 2008 R2 targets that have their Windows Firewall turned off.

Credentials:
Ensure the deploy or scan user in Options > Credentials is a member of the target computer's Administrator group or is otherwise an administrator of the computer.

You may need to change the authentication used when deploying to the target computer. For example, if the target is a Windows 7 or Windows 2008 R2 computer and the Windows Firewall is turned off (and needs to stay off) then the user credentials that run the Background Service must have Administrative rights on the target machines. You can configure the Background Service credentials via Options > Background Service.

Restart the Background Service:
Go to Options > Background Service and restart the service. Retry the scan or deployment.

Modify Service Manager TCP Connection:
If the problem persists after restarting the background service, you may need to modify the Service Manager TCP Connection setting in Options > Preferences > Performance. Try setting the value to a timeout of 5 seconds. If the problem still persists, try the Disabled value.

If the problem still persists after setting the Service Manager TCP Connection to Disabled, the registry value that disables the Service Manager TCP Connection may not be getting set. In this case, perform the following:

  1. On the PDQ console machine, open regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
  2. If it exists, modify the REG_DWORD value data of SCMApiConnectionParam to 0x80000000.
  3. If it does not exist, create a REG_DWORD value SCMApiConnectionParam and set the value data to 0x80000000.
  4. Once the value is set, restart the Background Service from within the program (Options > Background Service) or by opening services.msc and restarting the service.

Verify PDQ Inventory or PDQ Deploy Service is Not Running as Local System:
Occasionally the Background Service (Options > Background Service) credentials aren't honored in the actual Windows services for PDQ Inventory and PDQ Deploy. In these cases, open services.msc and verify that the Log On As value is NOT set to Local System. If it is, you may need to change the logon value inside Services to match the credentials specified in the Background Service panel. Please see this article for more information: The Service Did Not Start Due To A Logon Failure.

41 Comments

  • 0

    I have this error on my Windows 7 domain workstations, but not on Windows XP. Any ideas?

  • 0

    There may be a security policy in place preventing access to the service manager, or perhaps a firewall.

    You can verify access to the service manager by trying to connect to it from your workstation using the Windows Services console (services.msc). This may provide you with some additional information why it's not connecting.

  • 0

    I've encountered this problem today too. I did not have this problem 2 weeks ago. Remote admin repair results are OK. I can connect using services.mmc without problems. The computer is running Win7 Pro SP1.

    I've used the same domain\username credentials for deployments which succeeded. Rebooting the computer did not help. There are also no errors in the event log.

  • 0

    Another user ran into this last week with the same symptoms you describe.  Which computer did you reboot, the console computer or the target computer?  In their case it was the console computer they rebooted, though restarting the PDQDeploy service would probably have done it as well.  Somehow the security token used by the service became invalid, but only partially so, as it could still authenticate to some services but not all.  That's why services.mmc and remote admin repair still worked because they were using the security token of the logged on user, not the service.

    If you've tried rebooting the console computer, then try resetting the service authentication by setting it to Local System and then back to the admin user.  That may flush out any cached security data.

  • 0

    I've rebooted the remote computer, not the console one. Ok, next time I encounter this problem I'll try to restart the PDQDinventory service and I'll let you know about the outcome.

  • 0

    I've run into the same issue - all my Win 7 machines are giving me the Service Manager Access Denied error, regardless of the actions mentioned above. Any update?

  • 0

    Paul,

    Can you run the Remote Admin Repair utility in the PDQ program folder?  Run it on the PDQ console computer and switch to "Other Computer". Make sure to set "Authenticate as" to the same credentials you used when you got the error (the scan user or the deployment user, whichever you were using).  

    This will attempt to connect to the target computer in the same way that the background service does.  If this works reboot and try again. If it's still working in repair but not in the product then submit the error to us using the Diagnose link next to the error.  This will send some diagnostic information which  may be helpful in tracking down the problem.

  • 0

    Thanks for the quick reply! The repair tool shows no issues (0 issues failed) both before and after reboots of both the target and deployment machine. I've sent the diagnostic information.

  • 0

    The recent problem affecting Windows 7 targets has been resolved in the next version of PDQ Deploy (1.5 Release 3). This release will go into public beta in the next few days. To be notified via email of future versions fill out this form. To be notified of future versions within the PDQ Deploy console go to the Auto Update panel under  File > Preferences and select the appropriate settings. 

    If you would like a pre-beta release to resolve this problem contact us at support at adminarsenal.com.

  • 0

    What has caused this problem?

  • 0

    PDQ Inventory and Deploy were opening the remote service manager by passing in a set of requested rights: Enumerate services, create services, and delete services.  Remote Admin Repair opens the service manager by requesting all rights, which amounts to essentially the same thing.  But a recent update of Windows 7, combined with a particular set of GPOs, was causing the first method to fail while the second succeeded.  It's very odd and is most likely a bug in Windows 7.  To get around it we changed the PDQ apps to connect requesting all rights the same as repair does.

  • 0

    Thanks for the info Adam.

    It might be an issue I encountered a month ago (not related to PDQ) where Windows 7 had some saved credentials (Outlook to Exchange, using a different account). Win 7 used those saved credentials for the network connection of the logged in user to the server. I opened a ticket at Microsoft support, but no one could help. The only option was to delete the saved credentials, reboot and recreate the secondary access.

    I've had this problem on 3 Win 7 machines. Simply strange. I am mentioning it here in case someone encounters this problem.

  • 0

    Adam,

    FYI -- I just encountered the same error in PDQ Inventory (1.1.2).  I first attempted to deploy a hotfix to a Win 7 computer that was offline at the time and it failed (of course).  I then started the computer that gave the error, fired up PDQ Inventory on my console and attempted to run an Inventory which failed with the error discussed here.  After reading this discussion, I stopped both PDQ Deploy and PDQ Inventory services, then restarted both and reran the inventory -- which worked this time.  

  • 0

    Gerry,

    Thank you, we've been getting more reports of this lately.  We're looking into some workarounds.

  • 0

    Hello All, same problem on 20 pcs with Seven. PDQ Inventory version is 1.1.2.0.

    GOOD WORK ADAM    :)

  • 0

    *** Possible Workaround ***

    I am also running version 1.1.2.0 and tried to stop/start the services but did not resolve the issue. I then used another set of credentials stopped/started the services and noticed the new credentials did not update on PDQ services. I manually updated the logon credentials on PDQ Inventory services and again stopping/restarting the services and this time the scan worked perfectly. Added the same credentials to PDQ Deploy and I'm back chugging along gathering my info. Target machines affected were also win7 machines.

    Perhaps the ones still having this issue are using credentials with insufficient rights to the target machines? Just a thought?

    Admin Arsenal Team - THANK YOU providing tools that help me work smarter and not harder

  • 0

    I just got this issue showing its ugly face to me. I ran a deployment of 58 computers, 19 were successful and 8 of them failed with this error. Some of these are XP but most are 7. Ran the admin diagnostic, which failed. Attempted to run the fix on the local and it ran the diag on the device and found no issues.

    Attached is the error that each of them received.

  • 0

    Todd,

    This error is usually caused by either the user account used by the deployment not being an administrator or a GPO altering the security descriptor of the service manager (though that's much less common).  You can verify the security descriptor by running the sc.exe tool on the target computer:

    sc sdshow scmanager

    It should return this value (there may be some additional data after the BA)

    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)
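
One way to automate the comparison described in the comment above, as an added example that is not part of the original thread or PDQ's own code: it parses the DACL printed by `sc sdshow scmanager`, compares it with the value quoted above, and reports missing rights and deny ACEs while tolerating additional data. The function names and the sample descriptors at the bottom are constructed for illustration.

```python
import re

# Expected `sc sdshow scmanager` output as quoted in the comment above.
BASELINE = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
            "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)")

def parse_dacl(sddl):
    """Map (ace_type, trustee) -> set of rights tokens, DACL section only."""
    m = re.search(r"D:[^()]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL (D:) section with ACEs found")
    aces = {}
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        # Rights are two-letter codes, or one hex mask such as 0xf003f.
        tokens = {rights} if rights.lower().startswith("0x") else set(re.findall("..", rights))
        aces.setdefault((ace_type, trustee), set()).update(tokens)
    return aces

def check_scmanager(observed):
    """Compare an observed descriptor with BASELINE; extra ACEs are tolerated."""
    want, got = parse_dacl(BASELINE), parse_dacl(observed)
    report = {"missing": [], "deny": [], "extra": []}
    for (ace_type, trustee), rights in sorted(want.items()):
        have = got.get((ace_type, trustee), set())
        lacking = rights - have
        if lacking and "KA" not in have:  # KA (all access) covers the rest
            report["missing"].append((trustee, "".join(sorted(lacking))))
    for (ace_type, trustee), rights in sorted(got.items()):
        if ace_type == "D":
            report["deny"].append((trustee, "".join(sorted(rights))))
        elif (ace_type, trustee) not in want:
            report["extra"].append((trustee, "".join(sorted(rights))))
    return report

if __name__ == "__main__":
    # Constructed samples: baseline plus an audit section, then a descriptor
    # where Administrators (BA) lost KA and a deny ACE was added.
    ok = BASELINE + "S:(AU;FA;KA;;;WD)"
    bad = ("D:(D;;DC;;;NU)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
           "(A;;CCLCRPWPRC;;;SY)(A;;CCLC;;;BA)")
    for name, sddl in (("ok", ok), ("bad", bad)):
        print(name, check_scmanager(sddl))
```

A non-empty `missing` or `deny` list points at the GPO-altered descriptor case; entries under `extra` are the "additional data" the comment says may legitimately appear.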

  • 0

    I ran into the same issue. Firewall is off, same administrator account on server and targets. I am using PDQ Deploy 2.0.1.0. I am trying to deploy to about 150 Windows 7 PCs from 5 servers (about 30 PCs per server and different LAN). Nearly half show "Access denied to the admin share". I found out that I could not change the security settings of the Windows folder on those computers. All check boxes are greyed out. I could only take ownership of this system folder. That changes the deployment error to "Access denied to the computer's service manager". Hope this hint helps to find a workaround.

    All found advices did not help. The only workaround for me at the moment is to restore an image of a working PC to the failing computers.

  • 0

    I'm having this same issue with my Windows 7 sp1 computers...

    Windows Firewall is on and it must be on in my environment. What exceptions, ports do I have to add to Windows Firewall in order to make it work?

     

     

  • 0

    Hi Bruno,

    If you run the Windows Firewall you just need to allow some basic exceptions. They are listed here. 

    Firewall Ports and Exceptions

    If you are getting the Service Manager Access is Denied error, then the firewall is allowing you on to the target system already (this error only shows up after a successful connection to \\TargetComputer\ADMIN$)

    Try restarting the background service. (File > Preferences > Background Service) This usually clears the problem right up. If that doesn't solve the problem please verify that the credentials used to run the Background Service have Admin rights on the target computers.

  • 0

    FYI I just updated the free version PDQ inventory 2.0 (Release 4) this morning and now when I try to do a scan to any machine I receive Access Denied to Computers Service Manager on any Windows Machine.

  • 0

    Rich,

    Check the PDQInventory service using the Windows control panel and see if the log on account has been changed to Local System.  If so, close down the PDQ Inventory console and stop the service then start the Console and it should be set back to the correct user account.

  • 0

    I have the weirdest issue.  All my computers have Windows 7 Pro, and my AD account is part of a group that is added to all local administrator groups on those machines.  When I attempt to roll out a program, it fails to create the service but when I run the Remote Repair, everything has a green checkmark.  I have PDQ Deploy open as the admin user, the same one which I am using to connect/deploy the package.  Any ideas? 

  • 0

    Please disregard, I figured it out - changed the background service user credential. 

  • 0

    Adam,

    Thank you for that last post.. That happened to me on my PDQ inventory upgrade exactly.. Even after a reboot the service was still attempting to scan with local system.. Followed your suggestions and presto... issue resolved.

  • 0

    Couple things....how do I scan one computer instead of rescanning all of them all the time...
    -I have unc access and no services are installing..(pdq inventory agent) thus I have this error
    -Scan credentials are domain admin..(domain admin are local admin to all pc's)
    -no firewall at all on this pc...win7 64 bit sp1
    -what I need is a way to push cmdline install of agent of something similar so I can create a batch...enter the pc name...and fix this and move along fast...
    restarted bits...no idea what the problem is...this pc is also local to this network...
    I have this issue on about 15 or more pc's
    I can visit the c$ share at will without issue...

  • 0

    On your console machine go to File > Preferences > Performance. Change the Service Manager TCP Connection value to Disabled. Then retry the scan.

    If that doesn't work, please stop and restart the background service and then retry the scan. If you get the same error make sure that the credentials running the background service (Preferences > Background Service) have admin rights on the target computer. We have seen problems in situations where the credentials running the background service (not the scanning credentials) need to be an admin on the target. This usually happens when the Firewall service is NOT running on the target.

  • 0

    Disabling TCP Connection fixed my issue. :) You are a Sir.

  • 0

    Shane Corellian - you are a genius man! trying to figure out this issue for some time now and disabling tcp do the trick! thanks!
